皇紀2681年11月10日 – Yuji Noizumi's blog

fail2ban で ssh 不正ログインを試みる輩を接続拒否する運用をしているが、現状こんな感じ。

root@irc:~# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	63
|  |- Total failed:	1349
|  `- File list:	/var/log/auth.log
`- Actions
   |- Currently banned:	90
   |- Total banned:	241
   `- Banned IP list:	45.141.84.126 5.206.227.16 104.248.168.195 221.181.185.159 112.147.156.78 220.174.25.172 141.98.10.63 221.131.165.62 117.67.110.2 116.110.121.9 115.76.92.187 122.228.235.44 199.19.224.231 110.136.232.7 221.131.165.56 159.223.3.108 14.232.123.232 209.141.59.184 90.66.6.222 46.101.129.22 116.105.74.99 116.110.125.246 115.73.29.5 116.110.99.56 195.133.18.210 128.199.39.118 193.169.254.138 176.125.45.214 159.223.2.20 221.181.185.111 221.131.165.72 165.22.197.22 176.111.173.218 161.97.187.24 116.110.123.44 116.105.163.243 185.213.155.164 115.236.46.199 141.98.10.121 206.189.144.184 119.131.209.186 116.105.216.122 147.78.66.31 37.0.10.28 69.49.228.198 199.19.225.198 64.20.142.67 117.7.122.163 116.110.64.186 171.252.208.77 116.105.77.250 69.136.1.144 45.141.84.10 78.152.192.200 109.91.205.202 83.4.194.64 173.174.124.207 209.141.33.121 141.98.10.60 94.232.46.202 24.148.24.59 75.113.213.108 222.186.42.137 222.187.232.39 141.98.10.109 86.152.79.137 176.111.173.237 134.122.59.237 212.192.246.124 78.198.56.121 134.122.59.223 2.56.59.39 221.131.165.65 221.131.165.33 67.63.94.101 23.24.152.174 141.98.10.81 171.227.197.219 116.98.166.82 116.105.172.23 222.186.30.112 60.170.247.162 221.131.165.50 222.186.180.130 176.111.173.226 221.181.185.94 45.88.137.100 222.186.30.76 209.141.44.165 222.186.42.13

root@irc:~# fail2ban-client status sshd

Status for the jail: sshd

|- Filter

| |- Currently failed: 63

| |- Total failed: 1349

| `- File list: /var/log/auth.log

`- Actions

|- Currently banned: 90

|- Total banned: 241

`- Banned IP list: 45.141.84.126 5.206.227.16 104.248.168.195 221.181.185.159 112.147.156.78 220.174.25.172 141.98.10.63 221.131.165.62 117.67.110.2 116.110.121.9 115.76.92.187 122.228.235.44 199.19.224.231 110.136.232.7 221.131.165.56 159.223.3.108 14.232.123.232 209.141.59.184 90.66.6.222 46.101.129.22 116.105.74.99 116.110.125.246 115.73.29.5 116.110.99.56 195.133.18.210 128.199.39.118 193.169.254.138 176.125.45.214 159.223.2.20 221.181.185.111 221.131.165.72 165.22.197.22 176.111.173.218 161.97.187.24 116.110.123.44 116.105.163.243 185.213.155.164 115.236.46.199 141.98.10.121 206.189.144.184 119.131.209.186 116.105.216.122 147.78.66.31 37.0.10.28 69.49.228.198 199.19.225.198 64.20.142.67 117.7.122.163 116.110.64.186 171.252.208.77 116.105.77.250 69.136.1.144 45.141.84.10 78.152.192.200 109.91.205.202 83.4.194.64 173.174.124.207 209.141.33.121 141.98.10.60 94.232.46.202 24.148.24.59 75.113.213.108 222.186.42.137 222.187.232.39 141.98.10.109 86.152.79.137 176.111.173.237 134.122.59.237 212.192.246.124 78.198.56.121 134.122.59.223 2.56.59.39 221.131.165.65 221.131.165.33 67.63.94.101 23.24.152.174 141.98.10.81 171.227.197.219 116.98.166.82 116.105.172.23 222.186.30.112 60.170.247.162 221.131.165.50 222.186.180.130 176.111.173.226 221.181.185.94 45.88.137.100 222.186.30.76 209.141.44.165 222.186.42.13

3日間で、4回失敗で1週間アク禁。
11/1くらいから、241件アク禁にして、現在90件アク禁中。
151件を釈放。

ログを見てると、18時間間隔で 2回試行するとか、明らかに fail2ban を避けるパターンのやつがいるんだな。

ふと、再犯してるのどれだけだろう? と疑問に思い、調べると、再犯者を長期アク禁にできるとの事で、早速設定変更。

次のコマンドを実行

# vi /etc/fail2ban/jail.local

1	# vi /etc/fail2ban/jail.local

次の設定を追加

[recidive]
enabled = true
bantime  = 31536000 ; 1 year
findtime = 1209600  ; 2 weeks
maxretry = 1

[recidive]

enabled = true

bantime = 31536000 ; 1 year

findtime = 1209600 ; 2 weeks

maxretry = 1

fail2ban.logを調べて、再犯者は2週間以内に1回のログイン失敗でアウト、懲役1年(笑)

【追記 2681/11/20】
maxretry = 1 だと、fail2ban.log で、Ban 1回で作動してしまうので、 2 に変更した。
【/追記 2681/11/20】

root@irc:~# fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	33
|  `- File list:	/var/log/fail2ban.log
`- Actions
   |- Currently banned:	33
   |- Total banned:	33
   `- Banned IP list:	209.141.33.121 141.98.10.60 94.232.46.202 24.148.24.59 75.113.213.108 222.186.42.137 222.187.232.39 141.98.10.109 86.152.79.137 176.111.173.237 134.122.59.237 212.192.246.124 78.198.56.121 134.122.59.223 2.56.59.39 221.131.165.65 221.131.165.33 67.63.94.101 23.24.152.174 141.98.10.81 171.227.197.219 116.98.166.82 116.105.172.23 222.186.30.112 60.170.247.162 221.131.165.50 222.186.180.130 176.111.173.226 221.181.185.94 45.88.137.100 222.186.30.76 209.141.44.165 222.186.42.13

root@irc:~# fail2ban-client status recidive

Status for the jail: recidive

|- Filter

| |- Currently failed: 0

| |- Total failed: 33

| `- File list: /var/log/fail2ban.log

`- Actions

|- Currently banned: 33

|- Total banned: 33

`- Banned IP list: 209.141.33.121 141.98.10.60 94.232.46.202 24.148.24.59 75.113.213.108 222.186.42.137 222.187.232.39 141.98.10.109 86.152.79.137 176.111.173.237 134.122.59.237 212.192.246.124 78.198.56.121 134.122.59.223 2.56.59.39 221.131.165.65 221.131.165.33 67.63.94.101 23.24.152.174 141.98.10.81 171.227.197.219 116.98.166.82 116.105.172.23 222.186.30.112 60.170.247.162 221.131.165.50 222.186.180.130 176.111.173.226 221.181.185.94 45.88.137.100 222.186.30.76 209.141.44.165 222.186.42.13

その条件でも、33件該当。
1週間アクセス不能だったとしても、スクリプトでやり続けてんだろうなあ。

日: 皇紀2681年11月10日

【作業記録】fail2ban 再犯長期jail

皇紀2681年11月
日	月	火	水	木	金	土
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30